Bugs Fixed in Identity Synchronization for Windows

This section lists the bugs fixed since the last release of Identity Synchronization for Windows.

6203357

Identity Synchronization for Windows must support Group Synchronization between
Active Directory and Directory Server.

6255331

If the LDAP database is configured with subsuffix chaining, Identity Synchronization for Windows cannot
be used to modify records of the chained database. Users can only create and
delete entries in the chained database. All the operations, including creation,
deletion, and update, are possible if the plug-in is not loaded.

6306868

The secondary failover server in a failover setup must have o=NetscapeRoot DIT to configure the server.

Information on Linux is missing in the list of supported platforms
in the TO DO list when installing Identity Synchronization for Windows.

6331112

Account lockout and activation synchronization is not performed
with the new password policy attributes.

6332185

Group Type mapping for synchronization between Active Directory
and Directory Server should be implemented.

6332186

Identity Synchronization for Windows does not properly map user name attributes
for groups.

6332189

Identity Synchronization for Windows does not check whether the Group and the Group
members belong to the same SUL.

6332300

Identity Synchronization for Windows fails to synchronize the user Creation,
Modification, and Deletion from Secondary Masters to Windows Active Directory,
when the Primary Master is down.

6332912

Identity Synchronization for Windows does not synchronize the user creation,
modification, or deletion from Directory Server to Active Directory. The
issue occurs when the primary and the Nth secondary, in a list of secondary
hosts, are down.

6333957

Administration user created by Identity Synchronization for Windows is redundant
as the administration user is no longer used. Creation of uid=admin user
should be removed.

On Linux, before installing Identity Synchronization for Windows, make sure
that the sun-sasl-2.19-4.i386.rpm package is installed
on your system. Otherwise the Identity Synchronization for Windows installation would fail.
You can get the SASL package from the shared components of the JES 5 distribution
or later.

Do not change file permissions by hand.

Changes to file permissions for installed Directory Server Enterprise Edition product
files can in some cases prevent the software from operating properly.

To work around this limitation, install products as a user having the appropriate
user and group permissions.

No failover for the Identity Synchronization for Windows core service.

If you lose the system where the Identity Synchronization for Windows core services
are installed, you need to install them again. There is no failover for the Identity Synchronization for Windows core
service.

Take a backup of ou=services (configuration branch
of Identity Synchronization for Windows DIT) in LDIF format and use this information while
reinstalling Identity Synchronization for Windows.

Change in authentication behavior on Windows 2003 SP1.

When you install Windows 2003 SP1, by default users are allowed
one hour to access their accounts using their old passwords.

As a result, when users change their passwords on Active Directory,
the on-demand sync attribute dspswvalidate is set to true,
and the old password can be used to authenticate against Directory Server.
The password synchronized on Directory Server is then the prior, old password,
rather than the current Active Directory password.

Performing Data Recovery When System or Application
Fails

After hardware or application failure, you might have to restore the
data from backup in some of the synchronized directory sources.

After completing the data recovery, however, you must perform an additional
procedure to ensure that the synchronization can proceed normally.

The connectors generally maintain information about the last change
that was propagated to the message queue.

This information, which is called the connector state, is used to determine
the subsequent change that the connector has to read from its directory source.
If the database of a synchronized directory source is restored from a backup,
then the connector state might no longer be valid.

Windows-based connectors for Active Directory and for Windows NT also
maintain an internal database. The database is a copy of the synchronized
data source and is used to determine what has changed in the connected
data source. The internal database is no longer valid once the connected
Windows source is restored from a backup.

In general, the idsync resync command can be used
to repopulate the recovered data source.

Note –

Resynchronization cannot be used to synchronize passwords with
one exception. The -i ALL_USERS option can be used to invalidate
passwords in Directory Server. This works if the resynchronization data
source is Windows. The SUL list must also include only Active Directory systems.

Use of the idsync resync command, however, might
not be an acceptable option in every situation.

Caution –

Before executing any of the steps that follow, make
sure that synchronization is stopped.

Bidirectional Synchronization

Use the idsync resync command with the appropriate
modifier settings, according to the synchronization settings. Use the recovered
directory source as the target of the resync operation.

Unidirectional Synchronization

If the recovered data source is a synchronization destination, then the
same procedure can be followed as for bidirectional synchronization.

If the recovered data source is a synchronization source, then idsync
resync can still be used to repopulate the recovered directory source.
You need not change the synchronization flow settings in the Identity Synchronization
for Windows configuration. The idsync resync command allows
you to set the synchronization flow independently of the configured flows with the -o Windows|Sun option.

Consider the following scenario as an example.

Bidirectional synchronization is set up between Directory Server and
Active Directory.

The database of a Microsoft Active Directory server has to
be recovered from a backup.

In Identity Synchronization for Windows, this Active Directory Source is
configured for the SUL AD.

Bidirectional synchronization for modifies, creates, and deletes
is set up between this Active Directory Source and a Sun Directory Server Source.

Directory Source Specific Recovery Procedures

Microsoft Active Directory

If Active Directory can be restored from a backup, then follow the procedures
in the sections covering either bidirectional, or unidirectional synchronization.

You might, however, have to use a different domain controller after
a critical failure. In this case, follow these steps to update the configuration
of the Active Directory Connector.

To Change the Domain Controller

Start the Identity Synchronization for Windows management console.

Select the Configuration tab. Expand the Directory Sources node.

Select the appropriate Active Directory Source.

Click Edit controller, and then select the new domain controller.

Make the selected domain controller the NT PDC FSMO role owner of the
domain.

Save the configuration.

Stop the Identity Synchronization service on
the host where the Active Directory Connector is running.

Delete all the files, but not the directories, under ServerRoot/isw-hostname/persist/ADPxxx. Here, xxx is the
number portion of the Active Directory Connector identifier. For
example, xxx is 100 if the Active Directory Connector identifier
is CNN100.

Start the Identity Synchronization service
on the host where the Active Directory Connector is running.

Follow the steps according to your synchronization flow in the
unidirectional or the bidirectional synchronization sections.
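The cleanup step above (remove the files, keep the directories, under the ADPxxx persist directory) is easy to get wrong by hand, so here is an added example, not part of the product or its documentation, that derives the directory name from a connector identifier such as CNN100 and deletes only the regular files at the top level of that directory. The mapping of CNN100 to ADP100 and the ServerRoot/isw-hostname/persist layout follow the page; the assumption that every connector identifier is "CNN" followed by digits, and the file names used in the demo tree, are constructed for this example.

```python
"""Clear the Active Directory Connector persist directory after a domain
controller change. Added example; not shipped with Identity Synchronization
for Windows. Assumes connector identifiers look like CNN<digits> and that the
persist directory is ServerRoot/isw-<hostname>/persist/ADP<digits>.
"""
import re
import tempfile
from pathlib import Path


def persist_dir(server_root, hostname, connector_id):
    """Map a connector id (e.g. CNN100) to ServerRoot/isw-hostname/persist/ADP100."""
    match = re.fullmatch(r"CNN(\d+)", connector_id)
    if not match:
        raise ValueError("unexpected connector identifier: %r" % connector_id)
    return Path(server_root) / ("isw-" + hostname) / "persist" / ("ADP" + match.group(1))


def clear_connector_files(directory, dry_run=False):
    """Delete the regular files directly under 'directory'; subdirectories and
    their contents are left untouched. Returns the sorted names of the files
    that were (or, with dry_run=True, would be) removed."""
    directory = Path(directory)
    if not directory.is_dir():
        raise FileNotFoundError(str(directory))
    removed = []
    for entry in sorted(directory.iterdir()):
        if entry.is_file():
            if not dry_run:
                entry.unlink()
            removed.append(entry.name)
    return removed


def demo():
    """Build a constructed persist tree in a temporary directory, clear it, and
    return (files removed, entries remaining). File names are made up."""
    root = tempfile.mkdtemp()
    target = persist_dir(root, "adhost", "CNN100")
    (target / "subdir").mkdir(parents=True)
    for name in ("state.bin", "cache.db", "lock"):
        (target / name).write_text("constructed sample content\n")
    (target / "subdir" / "keep.me").write_text("untouched\n")
    removed = clear_connector_files(target)
    remaining = sorted(p.name for p in target.iterdir())
    return removed, remaining


if __name__ == "__main__":
    print(demo())
```

Run clear_connector_files with dry_run=True first to review the list of files before anything is deleted; the service must already be stopped, as the procedure states.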

Fail Over and Directory Server

Either the Retro Changelog database, or the database with synchronized
users, or both can be affected by a critical failure.

To Manage Directory Server Fail Over

Retro Changelog Database.

Changes in the Retro Changelog
database might have occurred that the Directory Server connector could
not process. Restoration of the Retro Changelog database only makes sense
if the backup contains some unprocessed changes. Compare the most recent entry
in the ServerRoot/isw-hostname/persist/ADPxxx/accessor.state file with the last changenumber in the backup. If the value in accessor.state is
greater than or equal to the changenumber in the backup,
do not restore the database. Instead, recreate the database.

After the Retro Changelog database is recreated, make sure that you
run idsync prepds. Alternatively, click Prepare Directory
Server from the Sun Directory Source window in the Identity Synchronization for Windows management
console.

The Directory Server connector detects that the Retro Changelog database
has been recreated and logs a warning message. You can safely ignore this message.
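The restore-or-recreate decision above depends on comparing two numbers that live in different places, so here is an added example, not part of the product or its documentation, that pulls the last change number out of the backup and applies the rule from the procedure. Two assumptions are built in and labelled in the code: the Retro Changelog backup is an LDIF export whose changelog entries carry a changenumber attribute, and accessor.state records the last processed change number as the last integer in the file (the page names the file but not its format). The sample LDIF and accessor.state contents are constructed.

```python
"""Decide whether to restore or recreate the Retro Changelog database after a
failure. Added example; not part of Identity Synchronization for Windows.
Assumptions: the backup is LDIF with a 'changenumber' attribute per changelog
entry, and accessor.state holds the last processed change number as the last
integer in the file.
"""
import re

# Constructed stand-in for the tail of accessor.state (format assumed).
SAMPLE_ACCESSOR_STATE = "lastChangeNumber=1042\n"

# Constructed stand-in for a Retro Changelog LDIF backup with three entries.
SAMPLE_CHANGELOG_LDIF = """\
dn: changenumber=1040,cn=changelog
objectclass: top
objectclass: changelogentry
changenumber: 1040
targetdn: uid=user1,ou=people,dc=example,dc=com
changetype: modify

dn: changenumber=1041,cn=changelog
objectclass: top
objectclass: changelogentry
changenumber: 1041
targetdn: uid=user2,ou=people,dc=example,dc=com
changetype: add

dn: changenumber=1042,cn=changelog
objectclass: top
objectclass: changelogentry
changenumber: 1042
targetdn: uid=user3,ou=people,dc=example,dc=com
changetype: delete
"""


def state_changenumber(state_text):
    """Return the last change number in accessor.state (assumed to be the last
    integer appearing in the file)."""
    numbers = re.findall(r"\d+", state_text)
    if not numbers:
        raise ValueError("accessor.state contains no change number")
    return int(numbers[-1])


def backup_changenumbers(ldif_text):
    """Collect every changenumber attribute value in an LDIF backup."""
    values = []
    for line in ldif_text.splitlines():
        # Attribute names are case-insensitive; 'dn:' lines are skipped because
        # their attribute name is 'dn', not 'changenumber'.
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "changenumber":
            values.append(int(value.strip()))
    return values


def recovery_action(state_number, backup_numbers):
    """Rule from the procedure: restore only if the backup contains changes the
    connector has not processed yet; otherwise recreate the database."""
    if not backup_numbers or state_number >= max(backup_numbers):
        return "recreate"
    return "restore"


def decide_from_text(state_text, ldif_text):
    """Convenience wrapper taking the raw contents of both files."""
    return recovery_action(state_changenumber(state_text),
                           backup_changenumbers(ldif_text))


if __name__ == "__main__":
    # The sample state already covers change 1042, so the answer is "recreate".
    print(decide_from_text(SAMPLE_ACCESSOR_STATE, SAMPLE_CHANGELOG_LDIF))
```

Whichever branch the check selects, run idsync prepds (or Prepare Directory Server in the console) afterwards when the database has been recreated, as the procedure requires.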

Synchronized Database.

If no backup is available for
the synchronized database, then the Directory Server connector has to be
reinstalled.

If the synchronized database can be restored from a backup, then follow
the procedures in either the bidirectional or the unidirectional synchronization
sections.

Known Identity Synchronization for Windows Issues

This section lists known issues. Known issues are associated with a
change request number.

4997513

On Windows 2003 systems, the flag that indicates the user
must change his password at the next login is set by default. On Windows 2000
systems, the flag is not set by default.

When you create users on Windows 2000 and 2003 systems with the user
must change pw at next login flag set, users are created on Directory Server with
no password. The next time the users log into Active Directory, the users
must change their passwords. The change invalidates their passwords on Directory Server.
The change also forces on-demand synchronization the next time those users
authenticate to Directory Server.

Until users change their password on Active Directory, users are not
able to authenticate to Directory Server.

5077227

Problems can occur when attempting to view the Identity Synchronization for Windows console
with PC Anywhere 10 with Remote Administration 2.1. PC Anywhere version 9.2
has been seen not to cause errors. If problems persist, remove the remote
administration software. Alternatively, VNC can be used. VNC is not known
to cause any issues when displaying the Identity Synchronization for Windows console.

5097751

If you install Identity Synchronization for Windows on a Windows system that
is formatted with the FAT32 file system, then no ACLs are available. Furthermore,
no access restrictions are enforced for the setup. To ensure security, use
only the Windows NTFS file system to install Identity Synchronization for Windows.

6254516

When the Directory Server plug-in is configured on the consumers
from the command line, the plug-in configuration does not create a new subcomponent ID for the
consumers.

6288169

The password synchronization plug-in for Identity Synchronization for Windows tries
to bind to the Active Directory for accounts that have not been synchronized
even before checking the accountlock and passwordRetryCount.

To resolve this issue, enforce a password policy on the LDAP server.
Also, configure Access Manager to use the following filter on user search:

(|(!(passwordRetryCount=*))(passwordRetryCount<=2))

This workaround, however, throws a user not found error when too many
login attempts are made over LDAP. The workaround does not block the Active
Directory account.

6331956

Identity Synchronization for Windows console fails to start if o=NetscapeRoot is replicated.

6332197

Identity Synchronization for Windows throws errors when groups, with user
information of users not yet created, are synchronized on Directory Server.

6336471

Identity Synchronization for Windows plug-in cannot search through chained
suffixes. As a result, the modify and bind operations cannot be performed
on the Directory Server instance.

6337018

Identity Synchronization for Windows should support exporting the Identity Synchronization for Windows Configuration
to an XML file.

6386664

Identity Synchronization for Windows synchronizes user and group information
between Active Directory and Directory Server when group synchronization
feature is enabled. The synchronization should ideally happen only after issuing
the resync command from the command line.

6452425

If you install Identity Synchronization for Windows on a Solaris system where
the SUNWtls package version 3.11.0 is installed, the Administration
Server might not launch. To resolve this, uninstall the SUNWtls package
before you install Identity Synchronization for Windows.

6251334

User deletion synchronization cannot be stopped even after
changing the Active Directory source. Deletion synchronization therefore continues
when the Synchronized Users List has been mapped to a different organizational
unit, OU, in the same Active Directory Source. The user
appears as deleted on the Directory Server instance even if the user is deleted
from a part of the Active Directory source that has no SUL mapping.

6335193

You might try to run the resynchronization command to synchronize
users from Directory Server to Active Directory. The creation of the group
entity fails if unsynchronized users are added to an unsynchronized group.

To resolve this issue, you should run the resync command
twice for the synchronization to happen correctly.

6339444

You can specify the scope of synchronization with the Synchronization
Users List using the Browse button on the Base DN pane. When you specify the
scope, the subsuffixes are not retrieved.

To work around this issue, add ACIs to permit anonymous access for reads
and searches.

6379804

This error occurs during the upgrade of the core components of Identity Synchronization for Windows to
version 1.1 SP1 on Windows systems. The updateCore.bat file
contains a hard-coded, incorrect reference to the Administration Server. As a result,
the upgrade process does not complete successfully.

To resolve this problem, replace the two references
to the Administration Server in the upgrade script.

Lines 51 and 95 of the upgrade script read as follows:

net stop "Sun Java(TM) System Administration Server 5.2"

Instead, the lines should read as follows:

net stop admin52-serv

After making the specified changes, rerun the upgrade script.
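Editing lines 51 and 95 by hand works, but a script that locates the two lines by content and refuses to proceed when the count is wrong is safer to repeat on several hosts. The following is an added example, not shipped with Identity Synchronization for Windows: the two net stop command lines are the ones given above; the stand-in script content is constructed, and matching by content rather than by line number is a choice made here so that the patch is idempotent.

```python
"""Patch updateCore.bat so that it stops the Administration Server by service
name. Added example; not part of the Identity Synchronization for Windows
upgrade tooling. The constructed SAMPLE_SCRIPT stands in for the real file.
"""

OLD_COMMAND = 'net stop "Sun Java(TM) System Administration Server 5.2"'
NEW_COMMAND = "net stop admin52-serv"

# Constructed stand-in for updateCore.bat: the two bad lines sit among others.
SAMPLE_SCRIPT = (
    "@echo off\r\n"
    "rem constructed sample, not the real upgrade script\r\n"
    + OLD_COMMAND + "\r\n"
    "copy core\\*.jar lib\\\r\n"
    + OLD_COMMAND + "\r\n"
    "net start admin52-serv\r\n"
)


def find_old_commands(script_text):
    """Return the 1-based line numbers that still contain the old command."""
    return [n for n, line in enumerate(script_text.splitlines(), 1)
            if OLD_COMMAND in line]


def patch_upgrade_script(script_text, expected_hits=2):
    """Replace the old 'net stop' lines with the service-name form.

    Returns (patched text, line numbers changed). Exactly 'expected_hits'
    occurrences must be present, unless the script is already patched (no old
    lines, new line present), in which case the text is returned unchanged.
    """
    hits = find_old_commands(script_text)
    if not hits and NEW_COMMAND in script_text:
        return script_text, []          # already patched: nothing to do
    if len(hits) != expected_hits:
        raise ValueError("expected %d old command lines, found %d at %s"
                         % (expected_hits, len(hits), hits))
    return script_text.replace(OLD_COMMAND, NEW_COMMAND), hits


def patch_file(path):
    """Patch updateCore.bat in place, preserving its CRLF line endings.
    Returns the line numbers that were changed (empty if already patched)."""
    with open(path, "r", newline="") as fh:
        original = fh.read()
    patched, hits = patch_upgrade_script(original)
    if hits:
        with open(path, "w", newline="") as fh:
            fh.write(patched)
    return hits


if __name__ == "__main__":
    text, lines = patch_upgrade_script(SAMPLE_SCRIPT)
    print("patched lines:", lines)
```

On a real host, call patch_file on the path of updateCore.bat and confirm that it reports two line numbers (51 and 95 for the script described above) before rerunning the upgrade.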

6388872

For Windows Creation Expressions in a Directory Server to
Active Directory, the flow cn=%cn% works both for users
and groups. For every other combination, Identity Synchronization for Windows throws errors
during synchronization.

6332183

Consider a scenario where a user, dn: user1, ou=isw_data, is added to an existing group, dn: DSGroup1,ou=isw_data.
When the user is removed from the group, that is, a Delete operation is performed,
the uniquemember attribute of the group is modified. Imagine that the
same user is then added again to the group with the same DN. For user dn:
user1, ou=isw_data, an Add operation is performed.

Identity Synchronization for Windows might log exceptions stating that the user already
exists, if the Add action flows from Directory Server to Active Directory
before the Delete does. A race condition might occur where the add operation
is performed before the delete operation during synchronization, thus causing
Active Directory to log an exception.

6444341

The Identity Synchronization for Windows uninstallation program is not localized. WPSyncResources_X.properties files fail
to be installed in the /opt/sun/isw/locale/resources directory.

To work around this issue, copy the missing WPSyncResources_X.properties files from the installer/locale/resources directory by hand.

6444878

Install and set up Java Development Kit version 1.5.0_06 before
running Administration Server.

6444896

When performing a text-based installation of Identity Synchronization for Windows,
leaving the administrator password empty and typing return causes the installation
program to exit.

6452538

On Windows platforms, Message Queue 3.5 used by Identity Synchronization for Windows requires
a PATH value less than 1 kilobyte in length. Longer values
are truncated.

6486505

On Windows, Identity Synchronization for Windows supports only English and
Japanese locales.

6477567

In Directory Server Enterprise Edition 6.2, the Directory Server plug-in
for Identity Synchronization for Windows is installed with Directory Server installation.
The Identity Synchronization for Windows installer does not install the Directory Server plug-in.
Instead Identity Synchronization for Windows only configures the plug-in.

In this release of Identity Synchronization for Windows, the text-based installer does
not prompt you to configure the Directory Server plug-in for Identity Synchronization for Windows during
the installation process. As a workaround, run the idsync dspluginconfig command in the terminal window after the Identity Synchronization for Windows installation
is completed.

6472296

After installation in the Japanese locale on Windows systems, Identity Synchronization for Windows user
interfaces are not fully localized.

To work around this issue, include unzip.exe in the PATH environment variable before starting the installation.

6485333

The installer and uninstaller on Windows systems are not internationalized.

Account lockout synchronization fails from Directory Server to
Active Directory when Directory Server password compatibility mode, pwd-compat-mode, is set to DS6-migration-mode, or DS6-mode.

6501886

When the Active Directory domain administrator password changes,
the Identity Synchronization for Windows Console has been seen to show a warning. The warning
shown is Invalid credentials for Host-hostname.domainname, even when the password
used is valid.

6529349

On Solaris SPARC, Identity Synchronization for Windows might not uninstall
due to the absence of the /usr/share/lib/mps//jss4.jar file.
It happens only during the installation of the product, when the installer
detects the already installed instance of the SUNWjss package
and does not update it.

As a workaround, while installing the product, add /usr/share/lib/mps/secv1/jss4.jar in the Java class path.